Firefox Now Supports HttpOnly Cookies
You may be surprised to learn that Microsoft Internet Explorer has supported a security feature called HttpOnly cookies since IE 6 SP1. Firefox 18.104.22.168, which was released just the other day, now supports it.
When a cookie is
To set an HttpOnly cookie with ColdFusion you need to use cfheader, since cfcookie doesn't yet support it:
<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">
It would be nice if the cfcookie tag simply had an attribute HttpOnly=true/false. Go make a wish. While you are at it, it would also be nice to have a setting to make the jsessionid cookies httpOnly, or secure cookies.
Update: CF9 added a httponly setting to the CFCookie tag. And CF 9.0.1 adds HttpOnly to CFID and CFTOKEN cookies automatically.
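As an added example (not code from the original post), this Node.js script audits raw Set-Cookie header values, such as the one written by the cfheader line above, for the HttpOnly and Secure flags. The function names, the list of session cookie names and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: audit raw Set-Cookie header values for HttpOnly and Secure.
// Assumption: session cookie names are taken from those mentioned in the post.
const SESSION_NAMES = new Set(["jsessionid", "cfid", "cftoken"]);

// Parse one Set-Cookie value into { name, attrs }, or null if malformed.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p !== "");
  const eq = parts.length > 0 ? parts[0].indexOf("=") : -1;
  if (eq < 1) return null; // first segment must be name=value
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    // Attribute names are case-insensitive (HttpOnly, httponly, HTTPONLY).
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name: parts[0].slice(0, eq).trim(), attrs };
}

// Report every cookie that lacks HttpOnly or Secure; flag session cookies.
function auditSetCookie(headers) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    if (cookie === null) {
      findings.push({ name: null, missing: ["unparseable"], session: false });
      continue;
    }
    // Only real attributes count: "HttpOnly" inside a value or path does not.
    const missing = ["HttpOnly", "Secure"].filter(
      (flag) => !cookie.attrs.has(flag.toLowerCase())
    );
    if (missing.length > 0) {
      const session = SESSION_NAMES.has(cookie.name.toLowerCase());
      findings.push({ name: cookie.name, missing, session });
    }
  }
  return findings;
}

// Constructed sample headers; the first is the value from the cfheader line.
const SAMPLE = [
  "safe=maybe;HttpOnly",
  "JSESSIONID=constructed123; Path=/",
  "CFID=1001; path=/; HTTPONLY; secure",
  "CFTOKEN=constructed456; Path=/httponly; Secure",
];
console.log(auditSetCookie(SAMPLE));
```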
Here's a MSDN doc with some additional info about
Firefox's implementation of HttpOnly, however, still leaves open a big hole: as RSnake points out, you can do an XMLHttpRequest to get the cookie values from the HTTP response headers. When I test in IE 6 (RSnake's example doesn't work in IE), I don't have access to the Set-Cookie from the AJAX HTTP response header. +1 for MSIE.